Most ransomware is used simply to make money. However, it can also be used as part of an attacker’s exit strategy to wipe out forensic evidence of a more serious breach.

Although ransomware attacks are on the decline — Darktrace suggests infections have decreased by as much as 28 percent between 2017 and 2018 — the threat these extortion attacks pose is still very real and for reasons beyond disruption to operations. More sophisticated attackers are using ransomware to cover their tracks in a more serious attack.

This gives ransomware victims another worry in addition to business disruption recovery costs: Was the attack really just to extort money or is it a cover for something more sinister? Answering that question requires ransomware victims to take due diligence steps after the attack.

When ransomware is being used to cover tracks

Similar to how threat actors use DDoS attacks as a distraction technique to hide more serious attacks going on in the background, security researchers are finding that attackers are using ransomware as part of their exit strategy to help cover up and erase clues of a more serious incident. Though delivered through the same means as regular ransomware — usually a phishing email and then a link or attachment loaded with a malicious file — the goal is to both delete potential forensic breadcrumbs and hope organizations don’t investigate further after recovering from the ransomware infection.

“The typical use case for ransomware is a shotgun approach type distribution campaign of dropping ransomware on people's machines, and then you charge them for getting their data or services back,” says Israel Barak, CISO at Cybereason. “Another use case is for covering tracks. These tools have the façade of ransomware: They would encrypt data, they would post a ransom note, and they would ask for money. They will even give you details on how to pay, but they're used to remove things from the endpoint while throwing off defenders into believing that the reason why that data was lost was because of a random hit by ransomware.”

NotPetya might be the most well-known of these wiper attacks. However, other incidents in recent years have used ransomware to hide evidence. In 2017 the Far Eastern International Bank in Taiwan was hit with a variant of the Hermes malware to hide that criminals were attempting to steal $60 million. An analysis by McAfee noted how the variant used in the attack didn’t actually post a ransom note, while BAE attributed the attack to the North Korea-linked Lazarus Group. A number of companies in Japan were hit with the ONI ransomware in 2017 to cover up an elaborate hacking operation, with Windows event logs deleted to cover tracks and avoid log-based detection.

Arsene says he has seen this happen with attacks on all verticals ranging from financial to critical infrastructure. “There’s a definite pattern, suggesting it will probably become the standard MO for covering tracks.”

Other strains of wiper ransomware include GoldenEye (also known as Petrwrap or Nyetya), Ordinypt and LockerGoga, while older strains include KillDisk and Shamoon.

What evidence do attackers hide with ransomware?

The main goal of using ransomware as a cover-up tool is to hide anything that forensic investigators could use to understand an incident, including the tools, techniques and procedures that would point to how threat actors got in, how long they were in, and what information was accessed or extracted. “Wiper ransomware could encrypt everything from log files to additional binaries that have been dropped by threat actors to move laterally and ensure persistency,” says Arsene. “Assuming that somehow victims manage to decrypt the data by using a decryption tool, there’s also MBR-encrypting ransomware that makes it even more difficult to recover any lost information.”

Cybereason says that ransomware can also be dropped in specific places to trigger processes to re-image and clean an area and have the IT department unknowingly help with the attacker’s clean-up operations. “You can have the best forensic investigators in the world, but if a machine was wiped properly, there's no forensic evidence that they will be able to extract from it,” says Barak.

Pseudo- and wiper ransomware vs. business priorities

Removing ransomware without proper investigation could mean key clues are being missed, but that comes with the counterpoint that ransomware attacks, while decreasing, are still prevalent and can be hard to investigate if the information can’t be decrypted. “It’s precisely because ransomware has become so common that most companies might not spend too much time investigating if the root cause of an attack was something else than purely financially motivated,” says Arsene. “Most of the time, to ensure minimum downtime and business continuity, companies restore from backups as fast as possible and leave the forensic work on the side.”

As demonstrated by the attack on shipping giant Maersk or the recent Norsk Hydro incident, ransomware infections can be incredibly disruptive, public and costly. Maersk lost an estimated $300 million in the wake of NotPetya. Unsurprisingly, companies often focus on getting operations back up and running as soon as possible to avoid further losses, and often put thorough investigation at the bottom of the list of priorities.

“Standard operating procedure is usually to restore from backup,” explains Barak. “Obviously, that's a challenge on a large scale if multiple servers or endpoints were impacted as it is a time-consuming activity during which services are unavailable and you're basically losing money. From an attacker’s perspective, ideally, defenders will focus on recovering service availability, assuming that they were randomly hit by a generic piece of ransomware as opposed to investing time and effort to understand how it happened and why and think about what else is going on here.”

Warning signs of pseudo-ransomware

Telling the difference between a genuine extortion attempt and a cover-up is incredibly difficult. Bitdefender’s Arsene says any ransomware attack that doesn’t display a ransom note is usually a dead giveaway that attackers could be covering their tracks, but there are few other easy tells.

“In the vast majority of the cases that we've seen where wipers were used in the facade of ransomware, there wasn't anyone there to collect the funds,” says Cybereason’s Barak. “Usually they are modified versions of known ransomware strains. The attack group takes a ransomware strain that is fairly well-known, and they just modify it to serve as a wiper.”

While paying in cases of extortion attempts is never recommended, in this case you may be wasting money by sending it to an attacker that isn’t set up to receive funds or doesn’t have the decryption key — or they may have already taken what they wanted from you.

Instead, organizations should treat any ransomware attack as a potential data breach and should trigger appropriate investigation and forensic procedures. The best way to really know the ransomware’s intent is to be proactive and gain as much visibility into network and endpoint activity as possible before an attack happens.

“What ransomware cannot hide is network traffic, which is why during a forensic investigation it’s important to cover that aspect as well, as it usually reveals anomalous endpoint behavior, lateral movement, and even communication with C&Cs,” says Arsene. “Looking for signs that a ransomware infection could be used to cover a data breach should also involve performing a network-level investigation and analyzing all network and endpoint event information dating back to days, weeks and even months prior to the ransomware incident.”
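The network-level lookback described above can be sketched as follows. This is an added example, not part of the original article: it assumes flow records were retained off the affected hosts, and the record layout, addresses, dates and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All values below are constructed assumptions; tune them to your own network.
INTERNAL = ip_network("10.0.0.0/8")       # internal address space
ADMIN_PORTS = {445, 3389, 5985}           # SMB, RDP, WinRM
FANOUT_LIMIT = 3                          # distinct internal peers on admin ports
EGRESS_LIMIT = 500_000_000                # bytes sent to one external address
INCIDENT = datetime(2019, 3, 20, 4, 0)    # when the ransomware was first seen

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_sent)
FLOWS = [
    ("2019-03-01T02:10:00", "10.0.5.20", "10.0.5.31", 445, 40_000),
    ("2019-03-02T02:12:00", "10.0.5.20", "10.0.5.32", 3389, 55_000),
    ("2019-03-15T01:05:00", "10.0.5.20", "10.0.5.33", 445, 61_000),
    ("2019-03-04T03:00:00", "10.0.5.20", "203.0.113.50", 443, 300_000_000),
    ("2019-03-16T03:00:00", "10.0.5.20", "203.0.113.50", 443, 300_000_000),
    ("2019-03-10T09:00:00", "10.0.5.40", "10.0.5.31", 445, 12_000),
    ("2019-03-10T09:30:00", "10.0.5.40", "198.51.100.7", 443, 2_000_000),
    ("2019-03-20T04:30:00", "10.0.5.20", "10.0.5.34", 445, 90_000),  # after incident
]

def lookback(flows, incident, days=90):
    """Return {host: [finding, ...]} for flows in the window before the incident."""
    start = incident - timedelta(days=days)
    peers = defaultdict(set)    # src -> internal peers reached on admin ports
    egress = defaultdict(int)   # (src, external dst) -> total bytes sent
    for ts, src, dst, port, sent in flows:
        when = datetime.fromisoformat(ts)
        if not (start <= when < incident) or ip_address(src) not in INTERNAL:
            continue
        if ip_address(dst) in INTERNAL:
            if port in ADMIN_PORTS:
                peers[src].add(dst)
        else:
            egress[(src, dst)] += sent
    findings = defaultdict(list)
    for src, reached in peers.items():
        if len(reached) >= FANOUT_LIMIT:   # possible lateral movement
            findings[src].append(f"admin-port fan-out to {len(reached)} internal hosts")
    for (src, dst), total in egress.items():
        if total >= EGRESS_LIMIT:          # possible data extraction
            findings[src].append(f"{total} bytes sent to external {dst}")
    return dict(findings)

if __name__ == "__main__":
    print(lookback(FLOWS, INCIDENT))
```

With a 7-day window the same data yields no findings, because the fan-out and the transfers are spread over weeks; that is why the window has to reach back well before the ransomware incident.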